Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: Attempts to steal information
Detection files published: 17 Nov 2003 03:00:00
Description created: 18 Nov 2003 12:55:00
Description updated: 18 Nov 2003 01:25:00
Malware type: WORM
Alias: none listed
Spreading mechanism: EMAIL
Summary: None

W32/Mimail.J@mm

Spreading

Needless to say, this file has nothing at all to do with PayPal. When run, the worm copies itself to the Windows directory and installs itself in the registry so that it starts with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SvcHost32 = [WINDIR]svchost32.exe

It also creates the files c:\pp.gif, c:\pp.hta and c:\index2.hta. The GIF is an ordinary picture file; the two HTAs are HTML applications that pose as parts of a PayPal account update form. This form is shown every time the worm is run, and any personal data entered into it is saved to a file called c:\ppinfo.sys. In addition, an empty file may be created under the name c:\cansend.sys.

Payload Details

Provided the worm can reach the Internet (it checks whether it can reach www.akamai.com), it attempts to mail the captured PayPal account information (including credit card details) to a set of email addresses.
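The persistence entry and dropped files listed under Spreading are the host-side indicators a responder would check for. The following triage script is an added example, not Lumension tooling: the Run key value name, the dropped-file paths and the c:\ppinfo.sys / c:\cansend.sys artefacts are taken from the description above, while the function names (check_run_values, check_files, triage) and the constructed sample registry values and file set are this example's own. On Windows it reads the real HKLM Run key; elsewhere it runs against the constructed sample.

```python
"""Host triage for the W32/Mimail.J@mm indicators given in this description.

Added example; the indicator values come from the description, everything
else (function names, sample data) is an assumption made for illustration.
"""
import ntpath
import os
import sys

# Persistence: value written under the HKLM Run key (from the description).
RUN_KEY_PATH = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SvcHost32"
RUN_VALUE_FILENAME = "svchost32.exe"  # the data is [WINDIR]svchost32.exe

# Files dropped on the system drive (paths from the description).
DROPPED_FILES = [r"c:\pp.gif", r"c:\pp.hta", r"c:\index2.hta"]
# Artefacts that only appear once the fake form has been shown or filled in;
# ppinfo.sys may contain whatever the user typed, so treat it as exposed data.
HARVEST_FILES = [r"c:\ppinfo.sys", r"c:\cansend.sys"]


def check_run_values(run_values):
    """Return findings for a mapping of Run-key value names to their data.

    Matches the value name 'SvcHost32' (case-insensitive) or any value whose
    data ends in svchost32.exe. The legitimate Windows service host is
    svchost.exe (no '32'), so the trailing '32' is the distinguishing detail.
    ntpath is used so Windows paths parse correctly on any host.
    """
    findings = []
    for name, data in run_values.items():
        base = ntpath.basename(str(data).strip('"').lower())
        if name.lower() == RUN_VALUE_NAME.lower() or base == RUN_VALUE_FILENAME:
            findings.append(f"run-key persistence: {RUN_KEY_PATH}\\{name} = {data}")
    return findings


def check_files(exists):
    """Return findings for dropped and harvest files.

    `exists` is a callable path -> bool, so the same logic runs against the
    real filesystem (os.path.exists) or a constructed set of paths.
    """
    findings = []
    for path in DROPPED_FILES:
        if exists(path):
            findings.append(f"dropped file present: {path}")
    for path in HARVEST_FILES:
        if exists(path):
            findings.append(f"harvest artefact present (may hold entered data): {path}")
    return findings


def triage(run_values, exists):
    """Run both checks and return a list of human-readable findings."""
    return check_run_values(run_values) + check_files(exists)


def read_run_key_windows():
    """Enumerate the real HKLM Run key on Windows; return {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


# Constructed sample for an offline run: one benign entry plus the worm's value,
# and three of the five files present on disk.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "SvcHost32": r"C:\WINDOWS\svchost32.exe",
}
SAMPLE_FILES = {r"c:\pp.hta", r"c:\index2.hta", r"c:\ppinfo.sys"}


if __name__ == "__main__":
    if sys.platform == "win32":
        results = triage(read_run_key_windows(), os.path.exists)
    else:
        results = triage(SAMPLE_RUN_VALUES, lambda p: p.lower() in SAMPLE_FILES)
    for line in results or ["no W32/Mimail.J indicators found"]:
        print(line)
```

The connectivity probe to www.akamai.com is deliberately not used as an indicator: reaching that host is ordinary traffic on almost any network, so it would only add false positives. If c:\ppinfo.sys is found, the data entered into the fake form should be assumed compromised regardless of whether the mail-out succeeded.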

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11